Date: Sat, 17 Mar 2012 06:18:20 +0400
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com
Cc: john-users@...ts.openwall.com
Subject: [openwall-announce] pwgen common password lists

Hi,

The Openwall wordlists collection (paid, full) now comes with a bonus -
two lists of passwords commonly generated by pwgen 2.06 with default
settings for output to a tty and non-tty.  These contain 44 and 45.5
million entries and they crack 21% and 75% of passwords of the
corresponding kind - for tty and non-tty, respectively.  pwgen is a
fairly popular command-line password generator program for Unix systems.
It is part of, e.g., Debian and Ubuntu.

The unfortunate property of pwgen that made this possible (non-uniform
distribution and small keyspace of its generated passwords) was
discussed on oss-security and Bugtraq in January:

http://www.openwall.com/lists/oss-security/2012/01/22/6

and on john-users in 2010.

Part of the problem (small keyspace, but not non-uniform distribution)
was publicly known since 2004 (if not earlier):

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=276976

(The fix was to document the problem...)

Our wordlists with the pwgen bonus may be purchased here:

http://www.openwall.com/wordlists/

Those of you who would rather not support us may obtain almost all of
the same wordlists (but not the pwgen bonus yet) from /pub/wordlists in
our file archive and its mirrors:

http://download.openwall.net
http://www.openwall.com/mirrors/

And indeed anyone (with some shell scripting skills or the like) can
generate similar pwgen lists in a couple of days, which actually makes
me more comfortable about using ours as a way to encourage people and
companies to support our project financially. ;-)

Speaking of alternatives to pwgen, our own pwqgen (from our passwdqc
package) has been tested for (lack of) a similar issue:

http://www.openwall.com/lists/passwdqc-users/2012/01/27/1
http://www.openwall.com/passwdqc/

Alexander
